New ‘SkillCloak’ Technique Allows Malicious AI Agent Skills to Evade Detection

Recent research has unveiled a method called ‘SkillCloak’ that enables malicious add-on skills for AI coding agents to bypass static security scanners. This technique involves subtle modifications to the skill’s code, allowing the malware to remain functional while evading detection.

AI coding agents like Claude Code, OpenAI Codex, and OpenClaw utilize ‘skills’—small packages containing instructions and scripts—to enhance their capabilities. These skills, often sourced from public marketplaces with minimal vetting, run with the agent’s access privileges, posing significant security risks if compromised.

Traditionally, static scanners have been employed to inspect these skills before installation, aiming to block any that appear harmful. However, the ‘SkillCloak’ method challenges the effectiveness of this defense. Researchers from the Hong Kong University of Science and Technology demonstrated that by altering specific code elements—such as substituting characters with similar-looking ones from different alphabets or splitting commands across new lines—malicious skills can evade detection while maintaining their intended functionality.

A more advanced variant of this technique involves ‘self-extracting packing,’ where the malicious payload is concealed within directories typically ignored by scanners, like .git/. A benign-looking decoder reconstructs the skill only during execution, exploiting the scanner’s blind spots. In tests involving 1,613 real malicious skills from ClawHub, this packing method successfully bypassed eight different scanners over 90% of the time, with some exceeding a 99% evasion rate.

To counteract these evasion tactics, the researchers developed ‘SKILLDETONATE,’ a runtime behavior analysis tool. By executing the skill in a controlled environment and monitoring its actions—such as file access and data transmission—this tool effectively identifies malicious behavior that static scanners might miss. In controlled tests, SKILLDETONATE detected 97% of attacks with a false positive rate of 2%, outperforming traditional scanners, especially against cloaked skills.

These findings underscore the limitations of static scanning methods and highlight the necessity for dynamic analysis tools that assess the behavior of skills during execution. As AI coding agents become more integrated into development workflows, ensuring the security of their add-on skills is paramount to protect sensitive data and maintain system integrity.

In light of these developments, it’s crucial for organizations to adopt comprehensive security measures that include both static and dynamic analysis techniques. Relying solely on pre-installation scans is insufficient, as attackers continually develop methods to circumvent these defenses. Implementing runtime behavior monitoring can provide a more robust defense against sophisticated evasion tactics like ‘SkillCloak.’